Home Depot sued by customer in federal court over data breach

(Reuters) – Home improvement retailer Home Depot Inc has been sued over data breach by a customer, saying the company failed to properly safeguard customer data from hackers, a lawsuit filed in a Chicago federal court showed on Tuesday.

The lawsuit comes a day after Home Depot confirmed that its payment security systems have been breached, potentially impacting its customers in stores across the United States and Canada.

Illinois resident Kelsey O’Brien filed the lawsuit, seeking class-action status, compensatory and punitive damages and credit card monitoring services for a period of three years.

O’Brien said he used his credit card at two Home Depot stores on May 19 and June 2 and had his personal financial information exposed.

Home Depot had failed to comply with reasonable security standards at the expense and to the severe detriment of its own customers, the lawsuit said.

Several stolen card details were placed for sale on an underground website notorious for offering stolen card data and were being used to change the PIN numbers, it said.

“We haven’t seen the suit yet and right now we are focused on our customers and the investigation, so it would be premature to comment,” Stephen Holmes, a Home Depot spokesman said.

The retailer said there was no evidence that online customers were affected or debit personal identification numbers (PINs) were compromised, but experts fear the attack could rival Target Corp’s massive breach last year.

Home Depot said customers who shopped at its stores as far back as April were exposed, suggesting the breach extended through the busy summer season.

The company, which had said earlier it would roll out PIN- and chip-enabled cards at all its U.S. stores, has promised free identity-protection services, including credit monitoring, to any potentially impacted customers.

The breach was first reported by security website KrebsOnSecurity last Tuesday. Krebs said on Sunday that Home Depot’s systems were hit by a variant of the same malware that compromised Target’s systems last year.

Target’s data breach weeks before Christmas led to theft of about 40 million credit and debit card records and 70 million other records with customer details.

Two senators asked the federal government to investigate the Home Depot breach and five U.S. states launched a probe into the matter on Tuesday as fallout from last week’s attack intensified.

Home Depot runs 2,266 stores across the United States and Canada. The company’s shares closed down about 2 percent at $88.93 on the New York Stock Exchange on Tuesday.